Barcamp Perth 4.0 Web Security
  • With Great Power Comes Great Responsibility… (Photo: http://www.flickr.com/photos/ilcello/ / CC BY-NC-ND 2.0) http://en.wikipedia.org/wiki/Uncle_Ben#.22With_great_power_comes_great_responsibility.22
  • Who is this guy?, I hear you thinking... Well, hi. I’m Christian Frichot and I’m VERY happy to be presenting here this morning. By night I’m a drummer, by day I’m an information security specialist for a bank, and I’m 100% geek. (I’m not in management and still try and get my hands dirty as much as I can.) (Photos: http://www.flickr.com/photos/lwr/ / CC BY-NC-SA 2.0; http://www.flickr.com/photos/jmilles/ / CC BY 2.0)
  • But what am I on about?
  • Well, I’ll be talking about the Internet… (Photo: http://www.flickr.com/photos/jurvetson/ / CC BY 2.0)
  • ... web applications... (Photo: http://www.flickr.com/photos/meg/ / CC BY-NC-SA 2.0)
  • And security... (Photo: http://www.flickr.com/photos/muehlinghaus/ / CC BY-NC-ND 2.0)
  • Well... web application security specifically. (Photo: http://www.flickr.com/photos/purpleslog/ / CC BY 2.0)
  • Before I begin though, I need to let you know that I’m probably less of a “hacker” (()) than most of you. Whilst I still develop a bit, my current role only gives me freedom to tinker and help build process-improving tools... so that’s a bit of… (Photo: http://www.flickr.com/photos/pixelfrenzy/ / CC BY-NC-SA 2.0)
  • Django… (Photo: http://www.flickr.com/photos/kogakure/ / CC BY-SA 2.0)
  • Perl... (Photo: http://www.flickr.com/photos/elfsternberg/ / CC BY-NC-ND 2.0)
  • And Linux misc shhhhtuff... (Photo: http://www.flickr.com/photos/a_mason/ / CC BY 2.0)
  • First though, let’s talk about the Internet. It’s ubiquitous, it’s enormous, it’s cute (()). (Photo: http://www.flickr.com/photos/rzrxtion/ / CC BY 2.0)
  • Really... (Photo: http://www.flickr.com/photos/bahkubean/ / CC BY-NC-ND 2.0)
  • Damn… (Photo: http://www.flickr.com/photos/kevinsteele/ / CC BY-ND 2.0)
  • Cute. (Photo: http://www.flickr.com/photos/helfyland/ / CC BY-ND 2.0)
  • And it’s FILLED with these... web applications. (Photo: http://www.flickr.com/photos/meg/ / CC BY-NC-SA 2.0)
  • Let’s not even mention this guy. Nielsen has reported on the fact that “Social Networking was the global phenomenon of 2008”... 2008... that was ages ago now. (Photo: http://www.flickr.com/photos/fbouly/ / CC BY-ND 2.0)
  • You remember what happened in 2008?
  • “Two thirds of the world’s Internet population visit social networking or blogging sites.” Back then social networking used to consume 1 in every 15 minutes of global Internet time. (()) Now it’s 1 in every 11.
  • And then the other week Facebook overtook Google as the most hit website… http://www.smartcompany.com.au/internet/20100318-how-facebook-overtook-google-in-the-us-and-why-your-business-needs-to-act.html
  • ... And where there are people, there is crime. (Photo: http://www.flickr.com/photos/alancleaver/ / CC BY 2.0)
  • In the old days cybercrime was very different. Crackers were toying with exploitation of web servers for infamy, usually leading to defacement. Initially these attackers displayed a degree of “technical skill”.
  • Things changed as the malware and exploitation industry matured. Everything started to become available as “kits”. MPack is one such web exploitation kit that could cost anywhere between US$500 and $1,000 and is used to inject malicious code into web pages, either by iframes or PDFs or whatever, to install keyloggers or whatever the user wanted. Soon there was IcePack, FirePack, Traffic Pro and more. This screenshot is of the MPack management interface, so the implementers of the kit could monitor how many PCs they were infecting. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
  • Whilst MPack was focusing on how to put malicious payloads onto computers, the other end of the malware world was also advancing. The Zeus malware, sometimes called a botnet, is a really nasty keylogger that is well known for evading anti-virus and being one of the most effective bank-targeting keyloggers out there. What was happening was the consumerisation of malware construction, maintenance, deployment and implementation. This decreased the technical skills required to perform complicated attacks. This is where terms like “script kiddies” come from: people who didn’t necessarily have the knowledge to perform an attack, but knew how to use the tool. http://www.flickr.com/photos/sebastiagiralt/2251661156/
  • The attackers started to realise that there was a lot of money to be made, not just by installing keyloggers but by stealing people’s identities. (Photo: http://www.flickr.com/photos/herry/ / CC BY 2.0)
  • ID theft can lead to all sorts of impacts on consumers: using your credit card details, opening bank accounts, taking out loans, conducting business under your name. Now I know that ID theft is a misnomer, because it’s impossible to steal an identity, so it’s often interchanged with identity fraud. There are numerous types, not just the typical type to gain access to funds, including: business/commercial identity theft, to use a business name to obtain credit; criminal identity fraud, if you pose as another when apprehended for a crime; and medical identity theft, to obtain access to Medicare or drugs. (Photo: http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0)
  • Some statistics on ID theft in Australia (()): in 2008 about 23% of the population were affected.
  • In 2009, 26% were affected.
  • The cost of ID theft against Australia is reported to be 3.5 billion dollars annually.
  • Another interesting statistic.
  • But what has this got to do with web apps I’m building? More often than not, malicious content that makes its way on to the Internet is not legitimately purchased by the attackers. You think they buy a Slicehost virtual private server and host their nasties on there? Supposedly 80% of all phishing sites are hosted on legitimate websites through compromise. Web application vulnerabilities lead to hijacking of legitimate content, for example through the use of file injection attacks. (Photo: http://www.flickr.com/photos/hmvh/ / CC BY-SA 2.0)
  • But what about if I’m only developing internal apps? Particular types of vulnerabilities thrive in perimeterised networks. (Photo: http://www.flickr.com/photos/negatyf/ / CC BY-NC-SA 2.0)
  • Back in 2006 Jeremiah Grossman of WhiteHat Security presented on some of the things that can be done from the Internet against internal networks through the browser, including: … Everything is web-enabled now. The perimeter is diminishing.
  • For example… cross-site request forgery attacks. Before I continue I’ll explain what cross-site request forgery, or CSRF, attacks are. Simply put, a system vulnerable to this will change its state upon the receipt of a request, without any sort of verification (except for the automatically included authentication tokens such as cookies or Authorization HTTP headers).
  • This is the definition from Wikipedia.
  • If Bob’s bank keeps his authentication information in a cookie, and the cookie hasn’t expired, then the attempt above to load the image will submit the withdrawal form with this cookie, thus authorising the transaction without Bob’s approval.
  • This type of attack is known as a “confused deputy attack”. The deputy in the example is Bob’s web browser, which is confused into misusing Bob’s authority at Mallory’s direction. http://www.flickr.com/photos/8363028@N08/4209230521/
  • So let’s get back to our example.
  • Let’s set the scene. Here we have a really typical environment: an admin who sits on an internal network segmented off from the Internet via all sorts of good stuff like firewalls and that. And on this internal network is the management interface for... let’s say... their storage system... their SAN.
  • The admin gets to work and opens a browser and logs into the interface on his SAN. The system is just using HTTP Basic authentication, but even internally it’s over HTTPS, so those credentials are protected from eavesdropping.
  • The status on the SAN looks fine .. So he then does what he normally does and opens up a bunch of tabs to browse around the sites he normally visits.
  • Maybe this company uses web-mail for their corporate mail ..
  • I can’t remember if I mentioned that this interface here is susceptible to cross-site request forgery, which means it will change its state upon the receipt of a request, without any sort of verification.
  • So our admin sees there is an email from an ex-employee and opens it up, and within it there is an embedded image tag.
  • Because his browser had previously authenticated, when it submits this IMG request in the form of an HTTP GET to the management interface, it includes the Authorization header.
  • Voila..
  • You’re probably wondering whether or not these actually happen? 1 – 2009: moot, the 20-something-year-old founder of 4chan, becomes “the world’s most influential person in government, science, technology and the arts”. 2 – Mikeyy Mooney uses a combination of CSRF and XSS to get numerous people tweeting about his site, StalkDaily. 3 – 2008: a trojan utilises CSRF to modify the DNS server configuration of popular routers.
  • But don’t give up all hope. There are some good recommendations to help reduce the likelihood of this attack. http://www.flickr.com/photos/soloflight/3010505750/
  • 1 – Although POSTs can also be automated via ActionScript, JavaScript, etc. 2 – It’s generally accepted that the inclusion of a random nonce, a parameter included within the request and verified against session data, is effective, because an attacker is unlikely to know to include this “parameter” in their forged request.
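  • As an added example (mine, not code from the talk), here are recommendations 1 and 2 modelled as a small Python request handler for a state-changing action on an interface like the SAN management page from the scenario. The session store, cookie value, form fields and the "reconfigure" action are all constructed for the example; the vulnerable handler is the talk's "before" state, where any authenticated request is honoured, and the hardened one requires a POST that carries the session's own nonce.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of the scenario: one server-side session per logged-in admin.
@dataclass
class Session:
    user: str
    # Per-session nonce (recommendation 2); a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    headers: dict   # what the browser attaches automatically, e.g. Cookie / Authorization
    params: dict    # form fields or query string

def session_for(request, sessions):
    """Resolve the automatically attached credential to a session.
    A cookie is used here; an Authorization header behaves identically for CSRF."""
    return sessions.get(request.headers.get("Cookie", ""))

def apply_change_vulnerable(request, sessions):
    """The talk's 'before' form: any authenticated request changes state."""
    if session_for(request, sessions) is None:
        return 401
    return 200

def apply_change_hardened(request, sessions):
    """Recommendations 1 and 2: POST only, and the request must carry the session's nonce."""
    session = session_for(request, sessions)
    if session is None:
        return 401
    if request.method != "POST":          # an image tag can only ever produce a GET
        return 405
    submitted = str(request.params.get("csrf_token", ""))
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403
    return 200

def run_scenario():
    """Replay the webmail scenario against both handlers; returns HTTP status codes."""
    sessions = {"sid=constructed-session-id": Session(user="san-admin")}
    browser_headers = {"Cookie": "sid=constructed-session-id"}
    admin = sessions["sid=constructed-session-id"]
    # Forged request from an image tag in an email: GET, credential attached, no token.
    forged_img = Request("GET", browser_headers, {"action": "reconfigure"})
    # Forged request from a scripted form submission (the caveat in recommendation 1): POST, still no token.
    forged_post = Request("POST", browser_headers, {"action": "reconfigure"})
    # Legitimate submission from the interface's own page, which embedded the token in its form.
    legitimate = Request("POST", browser_headers,
                         {"action": "reconfigure", "csrf_token": admin.csrf_token})
    return {
        "vulnerable_img_get": apply_change_vulnerable(forged_img, sessions),   # 200: state changed
        "hardened_img_get": apply_change_hardened(forged_img, sessions),       # 405
        "hardened_forged_post": apply_change_hardened(forged_post, sessions),  # 403
        "hardened_legitimate": apply_change_hardened(legitimate, sessions),    # 200
    }

if __name__ == "__main__":
    print(run_scenario())
```

The POST-only rule on its own is what recommendation 1 warns about: the scripted form submission still reaches the handler, and only the nonce check stops it.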
  • Confusing? Well, I just try and think about all the legacy code out there and the poor chance that the developers would’ve had of knowing what to do about these types of issues. http://www.flickr.com/photos/tambako/3593686294/
  • When web developing firms started to take their application security seriously they used to have to bring in penetration testers, or security testers, to validate their systems at the end of the development lifecycle. These are typically known as... (Photo: http://www.flickr.com/photos/delhaye/ / CC BY-NC-ND 2.0)
  • Breakers. (Photo: http://www.flickr.com/photos/sarflondondunc/ / CC BY-NC-ND 2.0)
  • It is commonly recognised that this is the most expensive time to rectify security faults. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
  • Security therefore becomes much cheaper and more effective during the earlier stages of the lifecycle: the requirements gathering, design and development phases. We like to think of people who assist security in the earlier phases as “builders”.
  • This shift is happening... which means that the responsibility for these issues is also changing. Perhaps to people like yourselves. (( ))
  • But don’t worry, the sky is NOT falling. There are a lot of resources out there... (Photo: http://www.flickr.com/photos/fabiogis50/ / CC BY-NC-SA 2.0)
  • Including (()) OWASP... which unfortunately has nothing to do with wasps. (Photo: http://www.flickr.com/photos/markop/ / CC BY-NC-ND 2.0)
  • The Open Web Application Security Project is an “Open Community dedicated to enabling organisations and individuals to conceive, develop, acquire, operate and maintain applications that can be trusted”. Open... and security? I know that sounds like a...
  • Paradox. Historically security seemed to be based on secrets and degrees of trust and clearance. We now generally acknowledge that security through obscurity... (Photo: http://www.flickr.com/photos/st3f4n/ / CC BY-NC-SA 2.0)
  • Just doesn’t work. (Photo: http://www.flickr.com/photos/kolya/ / CC BY-NC-SA 2.0)
  • So what does OWASP do? .. What’s it about?
  • These projects include:
  • The OWASP Guide – which “is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.”
  • The Software Assurance Maturity Model, or SAMM – which “is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. “ (If you’re interested in this look out for an upcoming Australian Information Security Association presentation)..
  • The OWASP Top Ten, which “represents a broad consensus about what the most critical web application security flaws are”
  • WebGoat which “is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons”
  • Webscarab, which “is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.”
  • And finally the Enterprise Security API or ESAPI. The purpose is simple…
  • ESAPI is NOT a framework, like Spring or Struts, it’s a set of foundational security controls.
  • To allow for language-specific differences ESAPI is based on the following design principles.
  • These are the controls that are implemented. And here is an example using the ESAPI Locator class, which allows you to retrieve singleton instances of a particular control.
  • This example shows utilising the input validator and output escaping to guard against SQL injection.
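  • An added example of the same two ideas, written here in Python rather than taken from the ESAPI project or the slides: an allow-list input validator in the spirit of ESAPI's Validator, and the query built with parameter binding, which I would pick over escaping where the database driver offers it. The users table, the sample rows and the hostile input are all constructed; the "unsafe" function is the before form that pastes input into the SQL text.

```python
import re
import sqlite3

# Constructed sample data: users of a small management interface.
SAMPLE_USERS = [("alice", "admin"), ("bob", "operator"), ("carol", "viewer")]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

# Allow-list rule for a username; anything else is rejected, not "cleaned".
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(value):
    """Input validation in the spirit of the ESAPI Validator: fail closed on unexpected input."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value

def find_role_unsafe(conn, name):
    """The 'before' form: untrusted input concatenated into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def find_role_bound(conn, name):
    """Parameter binding alone: the driver passes the value as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def find_role_safe(conn, name):
    """Defence in depth: validate first, then bind."""
    return find_role_bound(conn, validate_username(name))

def demo():
    """Run the same lookup three ways on a constructed hostile input and a normal one."""
    conn = build_db()
    hostile = "x' OR '1'='1"          # constructed input; one quote is enough to change the query
    results = {
        "unsafe_rows": len(find_role_unsafe(conn, hostile)),   # every row comes back
        "bound_rows": len(find_role_bound(conn, hostile)),     # no user has that literal name
        "safe_valid": find_role_safe(conn, "bob"),
    }
    try:
        find_role_safe(conn, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

Binding on its own already keeps the quote inert; the validator in front of it additionally stops odd input from reaching the database at all, which is the layering the ESAPI controls are meant to give you.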
  • To tie back to our previous example of our back end web management interface here are a few controls that ESAPI can bring. Including the Authenticator
  • Access controller .. So with these two interfaces we no longer have to rely on HTTP Authorization headers
  • And CSRF tokens.
  • So where is the ESAPI project at, at the moment? Well, the Java version is up to version 2.0 release candidate 6, which means they’ve got a full reference implementation. PHP is well underway with a number of completed controls, but there are some yet to be done. .NET is at around version 0.2.1, but they have implemented a number of controls. They’re also working on ColdFusion, Python, JavaScript, Haskell and Force.com. http://www.flickr.com/photos/st3f4n/2860706946/
  • So don’t re-invent the wheel..well at least the security wheel. http://www.flickr.com/photos/onkel_wart/4038437003/
  • And don’t be concerned.. http://www.flickr.com/photos/sophistechate/2758739495/
  • You guys are empowered to build new ways in which we can communicate.. http://www.flickr.com/photos/dalbera/2738451853/
  • Just remember what Uncle Ben didn’t say :P
